step-issuer
Provide support/documentation for running step issuer as a namespace local issuer and not cluster issuer
Running as a cluster issuer is not desirable and does not allow us to isolate permissions on a namespace basis. There is a big security concern giving one issuer access to all of our namespaces for certificate requests, config maps, leases, etc.
As an additional nicety, would like to see an option to not use helm for deploying resources. It's very black box unless we go inspect your repo.
I can think of a couple of things to limit the exposure:
- Changing/Deleting ClusterRoles/ClusterRoleBinding related to this project. The helm charts might be a good guide to this, see here.
- Another possibility would be to remove the CRD for the StepClusterIssuer, so you can only use StepIssuer resources that are namespace-specific.
I haven't tested any of those options.
Unfortunately, I deployed this as a namespace local issuer, but the deployment container just complains about not being able to list resources at the cluster scope, specifically the manage container in the step issuer deployment.
I suppose it would be simple to add a flag that does not start the StepClusterIssuerReconciler, and then with the helm chart, it should be easy to remove the cluster issuer roles, role bindings, and perhaps the CRDs.
My need for this is no longer existent, but I still see this as a valid use case, especially if this were used in an on-prem enterprise context.
Not sure if you're waiting on me for anything but I think that would work.
I'll probably add the feature, but I haven't started to work on it yet.